Security researchers have identified a new botnet, consisting of residential-grade TP-Link Archer routers, that has been used to target manufacturing, healthcare, and technology companies in the U.S., Australia, China and Mexico.
The Ballista botnet adds bots by leveraging CVE-2023-1389, a command injection vulnerability patched in 2023, to download malware on vulnerable TP-Link Archer routers. The malware can remove itself from the device to avoid detection, read configuration files, spread itself to other devices on the internet, run shell commands, and launch DDoS attacks.
The researchers assess, with moderate confidence, that Ballista is controlled by an unnamed threat actor based in Italy, based on an IP address and strings in the malware binary that point to that country.
They named the botnet Ballista in a nod to the ancient Roman missile launcher.
Source: SecurityWeek
TP-Link routers are a popular choice among consumers looking for a reasonably priced residential-grade router that can support Wi-Fi 7 and multiple frequency bands. According to Shadowserver, approximately 140,000 TP-Link routers are exposed to the internet worldwide; however, it is unclear how many of these devices are vulnerable to CVE-2023-1389 and could thus be, or become, part of Ballista.
Image 1: Scan results for TP-Link routers (Source: Shadowserver)
Residential-grade routers make good targets for botnets because they are plentiful and rarely updated by the user after initial configuration. Logging into the router, checking for, and applying updates is simply beyond the technical abilities of most users, leaving the router unpatched and vulnerable to compromise.
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats to hardware like the Ballista botnet. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk botnet activity poses.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users to enable automatic updates for devices like residential-grade routers to ensure they get the latest security updates as they become available. Additionally, users are reminded to make sure these devices are configured properly (e.g., restricting external access to management interfaces, disabling unnecessary services) and to use strong passwords. Devices that have reached end-of-life status should be replaced as soon as possible.
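The hardening points above (no management interface on the WAN side, unnecessary services off, automatic updates on, strong admin password, end-of-life devices replaced) can be turned into a small audit. The script below is an added example, not Field Effect's or TP-Link's code; the configuration dictionary schema (`remote_management.wan_access`, `services`, `auto_update`, `end_of_life`, `admin_password`) is a constructed assumption standing in for whatever format a given router exports, and the list of "risky" services and common default passwords is likewise constructed for illustration.

```python
"""Audit a home-router configuration against basic hardening rules.

Added example: the config schema, the RISKY_SERVICES list and the
COMMON_DEFAULTS list are constructed assumptions, not a real router's
export format or a vendor-published checklist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Services a residential router rarely needs enabled (constructed list).
RISKY_SERVICES = {"telnet", "upnp", "wps", "ftp"}
# Passwords that should never be accepted for the admin account (constructed list).
COMMON_DEFAULTS = {"admin", "password", "12345678", "root"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str


def password_strength_issues(pw: str) -> list[str]:
    """Return a list of reasons an admin password is weak (empty if acceptable)."""
    issues: list[str] = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    # Count character classes present: lowercase, uppercase, digit, symbol.
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        issues.append("fewer than three character classes")
    if pw.lower() in COMMON_DEFAULTS:
        issues.append("matches a common default password")
    return issues


def audit_router_config(cfg: dict) -> list[Finding]:
    """Check one router config (constructed schema) against the hardening rules."""
    findings: list[Finding] = []

    # Management interface must not be reachable from the internet side.
    if cfg.get("remote_management", {}).get("wan_access", False):
        findings.append(Finding("high", "management interface reachable from WAN"))

    # Any enabled service from the risky list is flagged.
    for service, enabled in cfg.get("services", {}).items():
        if enabled and service in RISKY_SERVICES:
            findings.append(Finding("medium", f"unnecessary service enabled: {service}"))

    if not cfg.get("auto_update", False):
        findings.append(Finding("high", "automatic firmware updates disabled"))

    if cfg.get("end_of_life", False):
        findings.append(Finding("high", "device is end-of-life; replace it"))

    for issue in password_strength_issues(cfg.get("admin_password", "")):
        findings.append(Finding("medium", f"weak admin password: {issue}"))

    return findings


# Two constructed sample configs: one typical of an unattended router,
# one that follows the recommendations.
WEAK_CONFIG = {
    "remote_management": {"wan_access": True},
    "services": {"telnet": True, "upnp": True, "ssh": False},
    "auto_update": False,
    "end_of_life": True,
    "admin_password": "admin",
}

HARDENED_CONFIG = {
    "remote_management": {"wan_access": False},
    "services": {"telnet": False, "upnp": False, "ssh": False},
    "auto_update": True,
    "end_of_life": False,
    "admin_password": "Gr4nite-Falcon!2025x",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_router_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run against the weak sample the audit reports three high-severity findings (WAN-exposed management, updates off, end-of-life) and five medium ones (two risky services plus three password problems); the hardened sample produces none. Feeding it a real router's exported settings only requires mapping that export onto the dictionary keys assumed here.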